Today’s cyber crime risk environment is unlike anything we’ve witnessed before. No longer are we dealing with lone wolf individuals “just playing around”.
Today’s technology crimes involve highly-developed, complex and effective hacking software – including ‘spy tools’ that have slipped into the wild.
When the first Creeper worm was created in 1971 in a research effort to replicate information on multiple devices instead of as a malicious tool, no one could have ever imagined the magnitude that this industry would grow to and in such a short amount of time.
The rapid rise of connectivity, with the growing importance of digital platforms, has allowed cyber crime to proliferate and evolve, to a point where it now changes and spreads faster than at any time in history.
Anyone who still thinks cyber criminals are individuals working in darkened basements is making a dangerous mistake: today’s cyber criminals are more of a syndicate, and few companies are fully prepared to withstand an attack. At its advent, the rapid development of the information technology industry, and the rise of hacking, caught corporations and governments flat-footed.
Many organisations still labour under misconceptions about the nature of cyber attackers. Many do not realise quite how large and organised these crime syndicates are, and how sophisticated their operations are.
Several years ago, global cyber crime was estimated to be worth more than the global illicit drug trade, and the relative ease with which criminals could make massive profits has spurred them on to become yet more active and aggressive.
It is estimated that cyber crime could cost organisations over $6 trillion this year, topping $10 trillion by 2025, according to Cybersecurity Ventures. The average cost of a data breach in South Africa is estimated at $2.14 million, more than any company can afford.
Organisations still treating information security as an add-on or an afterthought to their IT infrastructures are increasingly at risk. Few businesses realise how stealthy and patient some of these syndicates are, and how many years they may spend waiting for an opportune moment to attack.
History has shown us examples where hackers might drive past an office block and throw flash drives on the ground, hoping an ignorant passing employee would pick one up and plug it into their company laptop.
More recently, there have been reports of paid smash-and-grab attacks to steal key personnel’s laptops, and even threats being levelled against families to force employees to give criminals access to company systems.
However, cyber criminals do not usually have to resort to in-person interventions or violence to access company data: in most cases, old-fashioned social engineering is enough. Using phishing mails and social media now enhanced with more convincing content and even deep fake videos, cyber criminals are still able to successfully trick millions of victims.
The scale of breaches can be massive. A year ago, over 10 billion personal records were exposed from adult livestreaming site CAM4. In the past year, ShinyHunters exposed well over 300 million online credentials stolen in hacks of at least 30 companies. In August last year, a data breach at Experian potentially exposed the information of as many as 24 million South Africans and over 793 000 business entities.
Mark Simos, lead architect for the Microsoft Enterprise Cyber Security Group, notes in a series of business resilience blogs that attackers today are typically flexible, objective-driven, stealthy, patient and well-resourced, and they are often highly-skilled in the technologies they are targeting. Where they lack the skills in-house, there are cyber crime resources for hire. Their sole business objective is financial gain through cyber crime, and they are able to focus all their energies on accomplishing this goal.
Although the recent IBM – Ponemon Institute 2020 Cost of a Data Breach Report said data breaches cost South African companies over R40 million per breach last year, the true extent of cyber attacks in South Africa is likely not fully understood. Most local businesses that fall victim to attacks try to remediate quickly and keep the incident quiet, unless they are obligated to disclose it.
However, once the deadline for compliance with the Protection of Personal Information Act (POPIA) passes this year, we expect to see more reports starting to become public. This may prove to be beneficial, since organisations that still underestimate the risk will be forced to confront the extent of it.
In the face of inevitable attack, organisations have to start understanding the attackers, their methods and the targets within their own environment. They must audit their data assets and identify any potential risks to their data – and so their business resilience. They must move to mitigate risk wherever they can, so that when they do come under attack, their businesses can survive.
Share